Cybersecurity Executive Order Touts More Regulation as the Solution

As if the flood of regulations coming after the election weren’t bad enough, a draft of the newest cybersecurity executive order obtained by Heritage reveals that even more regulations are coming.

This draft executive order is similar to the failed Cybersecurity Act of 2012 in that it proposes additional regulations as a solution to the U.S.’s cybersecurity woes. A regulatory executive order for cybersecurity is flawed and insufficient, and it ignores the deliberative process of Congress, which has thus far rejected a regulatory approach.

The executive order starts with several pages that talk about voluntary cybersecurity regulation and having the Department of Homeland Security (DHS) work with other agencies to come up with cybersecurity best practices. This innocent enough beginning is soon superseded in section 7 of the draft.

In that section, regulators are first charged with determining what pre-existing authority they have that would allow them to regulate cybersecurity. Next, the order instructs DHS to use the list of best practices to create a “prioritized… set of actions” that should be taken to “mitigate or remediate identified cybersecurity risks.” Finally, the executive order says that regulators “are encouraged to propose regulations…based on such set of prioritized actions.”

This executive order is being hyped as a voluntary effort with public–private partnership and cooperation. However, it is not much of a partnership if the government is just telling the private sector what to do through regulations. Most importantly, regulations are the wrong approach to cybersecurity for several reasons.

First, regulations are static solutions to a dynamic problem. There is no way that regulations will be able to keep up with the rapidly changing threat, since major regulations take two to three years to be written. In that time, the processing power of computers will double or quintuple. It would be as if a nation built a wall to stop its enemy, only for the enemy to invent newer, faster tanks that simply go around it. Regulations will not help the private sector combat newer and more powerful cyber attacks.

Second, regulations create a false sense of security and an attitude of compliance. The private sector would follow the regulations and do little more. After all, if it follows the regulations, the government has declared that the private sector is doing cybersecurity right. This will give the private sector the wrong incentive. Instead of promoting the adoption of the most appropriate cybersecurity system, regulations merely encourage the private sector to meet the outdated standards.

Third, regulations hinder innovation. Since companies will try to meet outdated cybersecurity regulations, cybersecurity companies will focus on meeting this demand. However, time spent meeting this demand for older cybersecurity approaches is time not being spent innovating ways to fight newer threats.

Finally, the costs of regulations are simply unknown. The regulations could tell the private sector to buy costly but antiquated cybersecurity systems. There is no way to know until the regulations are written.

A better solution to cybersecurity would involve effective information sharing, as it can keep up with the daily changes in cybersecurity threats. The executive order, however, admits that it “cannot establish” the correct incentives to enable information sharing.

Instead of continuing with this flawed regulatory approach, President Obama should let Congress continue its deliberations and develop a constructive cybersecurity policy.

David Inserra specializes in cyber and homeland security policy, including protection of critical infrastructure, as policy analyst in The Heritage Foundation’s Allison Center for Foreign Policy Studies.

Regulations don't stifle innovation. The Internet is one of the most regulated things in the world. It has thousands of RFCs, thousands of Internet Drafts, thousands of minor regs like the PKCS series. These regulations set a bar for entry, but at the same time guarantee a minimum level of service and interoperability.

Security can be regulated, even in a changing environment. There are best practices which have been known since the Morris worm in the late 1980s: firewalls, intrusion detection systems, password policies, key strength, key sharing rules, etc. It's easy to set minimum acceptable criteria that will block the vast majority of attacks. The reason why security is such a fluid field is that people don't implement these policies. In systems where the policies have been in place a long time, like Unix and Linux, they still apply. This article's assertions are like saying "people get sick from a variety of different things, so it doesn't make sense to tell you to wash your hands." There will always be a new attack, but we have to start with preventing the Internet version of the flu.

Third, maybe they're right that the cost of implementation is not known. The cost of not implementing is also not known. But we know the cost of not implementing is many times greater than the cost of implementing. That's good enough.
